ASA with Internet down

Oct 24th, 2008


I have an ASA 5520, with few users (50), sometimes the Internet goes down.

First I thought that was an ISP problem.

But if I restart the ASA, the internet goes up.

I don't really want to restart my ASA each time, but it looks like there is no other solution.

Can you help??

The ASA is acting as a DHCP server.

Where do I have to check if the ASA is the problem??

agustinillanes Fri, 10/24/2008 - 12:50

ASA Version 7,2(3)

Firewall Mode: Routed

Context Mode: Single

This module is also installed:

Cisco ASA SSM-20

pete.gill Fri, 10/24/2008 - 12:56

When you lose connectivity, can you still connect to the ASA? If so, can you ping your default gateway while it is down?

agustinillanes Fri, 10/24/2008 - 13:08

I am not really sure.

I will try this the next time it happens.

The router is 2 months old, and in the last week we have had this problem 3 times.

I will enter a message as soon as I can.

I access via ASDM, and there seems to be no problem. Anyway, is there another test I have to do?

suschoud Fri, 10/24/2008 - 15:36

First of all, you need to make sure that the licensing on the ASA is correct. It should have a license to allow more than 50 users to access the Internet (are you sure there are fewer than 50 people?).

Does the Internet go down for everyone or for a few people?

Do you have a static IP or DHCP from the ISP?

There is a known issue of the ASA not negotiating an IP address after the DHCP lease expires.

If you have a DHCP IP address from the ISP, try upgrading to 7.2.4 and see if that makes a difference.




agustinillanes Mon, 10/27/2008 - 12:36

I am sure that I have fewer than 50 users.

I have a static IP from the ISP.

When the Internet goes down, it does for everyone.

Now I am monitoring the ASA with only 3 users; let's see what happens.

agustinillanes Wed, 11/12/2008 - 13:21

Hi to everybody again.

I installed the ASA with only 2 users; all seemed to be right, but today, after 2 weeks, the Internet went down.

I checked the ISP and there was no problem.

I can ping my gateway. Also, I accessed the ASA via ASDM and I didn't see anything suspicious.

I had to reset the ASA, and the Internet came up again.


william-white Fri, 11/14/2008 - 13:21

Is your ASA configured to use a syslog server? My PIX 515e (before I replaced it with my ASA) would close all ports, disconnecting Internet, when the syslog server went down. Restarting the PIX would bring it back up. Perhaps the ASA does the same thing - it's a security default behavior.

-- Bill

agustinillanes Fri, 11/14/2008 - 13:28

No, it is not.

I checked the log output, and something suspicious is that I found many Log ID 302013 and 302014 entries, and finally Log ID 321001 (buffer).

Is there some relation?

John Blakley Fri, 11/14/2008 - 13:35

Can you post the messages from the log?

I have a couple of questions:

Is your ASA connected to an ISP's router?

What type of line do you have coming into your building?

If it's DSL, is it a PPPoE account?

Do you have a tunnel connected from you to somewhere else that you actually get your Internet from?

Can you post a config?



agustinillanes Mon, 11/17/2008 - 08:41


I have this scenario.


The ASA 5520 is directly connected to the Internet, via ADSL. It is not a PPPoE account.

I don't have any tunnel.

I tried only with Internet->ASA5520->LAN, and I had the same error. It is actually working with the 2 ASAs, and they are working fine, but whenever it stops working I have to reset both.

All the configuration was made with ASDM.

Here is the configuration of the ASA5520 and 5510.

ove.hansen Thu, 01/15/2009 - 06:11


Since the ASA5520 is an unlimited-users edition, it cannot be a licensing problem.

I do think this problem is related to the IPS module; the IPS is known to lock up when using older versions. Please upgrade the software in your IPS.

Also check the interim releases of 7.2.3. This might be a bug that locks up your ASA.

Before upgrading your IPS, a simple reconfig to disable it, when the problem is there, will solve your Internet throughput lockup.

Best Regards

Ove CCIE#21940

ahmed.badawy Sun, 03/08/2009 - 01:59


Issue the command "show shun" from the CLI, and if you get any output, check it against your LAN addresses and your outside IP addresses.
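
The comparison suggested in the last reply can be scripted. This is an added example, not part of any post in the thread: the sample `show shun` output, the LAN subnet and the outside address are constructed, and the line layout (interface, source, destination, source port, destination port, protocol) is an assumption to verify against your own device's output.

```python
import ipaddress
import re

# Constructed sample of `show shun` output (not taken from the thread).
# Assumed layout: shun (interface) src_ip dst_ip src_port dst_port protocol
SAMPLE_SHOW_SHUN = """\
shun (outside) 203.0.113.45 0.0.0.0 0 0 0
shun (inside) 192.168.1.23 198.51.100.10 51514 80 6
shun (outside) 198.51.100.2 0.0.0.0 0 0 0
"""

SHUN_LINE = re.compile(
    r"^\s*shun\s+\((?P<ifc>[^)]+)\)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<proto>\d+)\s*$",
    re.IGNORECASE,
)

def parse_shun(output):
    """Return one dict per shun entry; lines that do not match are skipped."""
    entries = []
    for line in output.splitlines():
        m = SHUN_LINE.match(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # not a valid IP address, ignore the line
        entries.append({"interface": m["ifc"], "src": src, "line": line.strip()})
    return entries

def own_addresses_shunned(output, lan_networks, outside_addresses):
    """List shun entries whose source is a LAN host or one of the outside IPs."""
    nets = [ipaddress.ip_network(n) for n in lan_networks]
    outside = {ipaddress.ip_address(a) for a in outside_addresses}
    hits = []
    for entry in parse_shun(output):
        if entry["src"] in outside:
            hits.append((entry["line"], "outside address"))
        elif any(entry["src"] in net for net in nets):
            hits.append((entry["line"], "LAN host"))
    return hits

if __name__ == "__main__":
    # Constructed values: replace with your own LAN subnet(s) and outside IP(s).
    for line, why in own_addresses_shunned(
        SAMPLE_SHOW_SHUN, ["192.168.1.0/24"], ["198.51.100.2"]
    ):
        print(f"{why}: {line}")
```

Any hit means the firewall is dropping traffic from one of your own addresses, which would look like the Internet going down for those hosts.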

